MikroTik routers grab their pickaxes, descend into the crypto mines

Hacker slips CoinHive code onto network appliances

Researchers have found thousands of MikroTik network routers in Brazil serving up crypto-coin-crafting CoinHive code.

Trustwave researcher Simon Kenin said this week one or more attackers have exploited a known vulnerability in Mikrotik's enterprise routers to inject error pages with code that uses visitors' machines to mine digital dosh for the miscreants.

Kenin says that the attackers have been running an exploit script to gain administrator access over the targeted routers, then installing a custom page that would come up any time an error occurs. Within that page is the actual code that employs any spare compute power on the browsing computer to mine cryptocoins and then transmit them to an address controlled by the attacker.

The exploit itself is not exactly novel, and it's hard to blame the vendor in this case. The targeted vulnerability was patched by MikroTik back in April, just days after it was initially reported. Unfortunately, admins have been slow to patch the bug on their own appliances.

"To MikroTik's credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone," Kenin noted.

Thus far, Kenin said, the attacks are geographically limited to systems in Brazil, though they do appear to be spreading to other places. Additionally, Kenin found, servers connected to the router will also end up injecting the code into other web pages as well.

Ransomware is so 2017, it's all cryptomining now among the script kiddies

"What this means is that this also impacts users who are not directly connected to the infected router's network, but also users who visit websites behind these infected routers," Kenin said.

"In other words, the attack works in both directions."

This is a problem because MikroTik's routers are used by a number of large companies, including ISPs.

"Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices," said Kenin.

"There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily."

Kenin is advising anyone using a MikroTik device to update their firmware as soon as possible to make sure their systems will be protected against the exploit used to install the mining code. ®